Commit 6c783d37 authored by Tom Evans

OF-782: Group name encoding issue

Per earlier XSS fix, groupName was being URL-encoded twice; updated to
use local variable that has already been properly encoded.
parent bccab4bf
......@@ -178,7 +178,7 @@ document.searchForm.search.focus();
<%= i %>
</td>
<td width="60%">
<a href="group-edit.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
<a href="group-edit.jsp?group=<%= groupName %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
<% if (group.getDescription() != null) { %>
<br>
<span class="jive-description">
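Review bot: The href on the added line now prints `groupName` with no encoding call at the point of output, so its safety depends entirely on an assignment that is not visible in this hunk, and nothing in the name says the value is already URL-encoded. Consider renaming the local to something like `encodedGroupName`, or adding a comment at its assignment, so that a later edit neither wraps it in `URLEncoder.encode` again (the double encoding this commit fixes) nor swaps in the raw `group.getName()` that the link text on the same line uses. The link text itself still goes through `StringUtils.escapeHTMLTags`, which is the right call for that context.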
......@@ -195,12 +195,12 @@ document.searchForm.search.focus();
<% // Only show edit and delete options if the groups aren't read-only.
if (!webManager.getGroupManager().isReadOnly()) { %>
<td width="1%" align="center">
<a href="group-edit.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"
<a href="group-edit.jsp?group=<%= groupName %>"
title=<fmt:message key="global.click_edit" />
><img src="images/edit-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
<td width="1%" align="center" style="border-right:1px #ccc solid;">
<a href="group-delete.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"
<a href="group-delete.jsp?group=<%= groupName %>"
title=<fmt:message key="global.click_delete" />
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
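Review bot: While these two anchors are being touched, the `title=<fmt:message key="global.click_edit" />` and `title=<fmt:message key="global.click_delete" />` attributes on the following context lines are unquoted, so any message text containing a space is cut at the first word and the remainder is parsed as extra attributes on the link. Wrapping each one in double quotes would fix that. The edit and delete hrefs also share the same dependency on a pre-encoded `groupName` as the first hunk, which gives three output sites relying on one variable whose name does not state its encoding.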
......